Site-to-site VPN issues

Rex Biesty
Level 1

Hi, I'm having issues establishing a site-to-site VPN between us and a 3rd party's efility firewall (we're using a PIX 515 running 6.3). Their LAN range is 192.168.2.x but their IT people tell me they're NATting traffic to 217.155.130.97. The tunnel appears to be up but they cannot ping anything at our site. I want them to access 128.31.x.x, 128.51.x.x and 128.60.x.x on our LAN.

Just to complicate matters, I believe this site was set up with some port forwarding rules in the past to allow them access to specific servers on our site.

I've checked the logs and can see traffic from them (on 217.155.130.97) going to 128.51.0.9 which I believe is the port forwarding, but can't see anything else (they have a continuous ping to 128.31.1.78 on our network).

Unfortunately I don't know enough to determine if the port forwarding rules are affecting the site VPN; any help would be greatly appreciated.

12 Replies

acomiskey
Level 10

What do you mean by "appears to be up"? What is working and what's not? Explain what you mean by the port forwarding, I do not see any reference to 128.51.0.9 in your config.

Thanks for the reply.

The 'appears to be up' comment refers to feedback from the remote site saying that the tunnel appears to be in place at their end. Don't know how to check it on the Cisco, but if you could point me in the right direction I'd appreciate it.

The 128.51.0.9 is a typo, sorry, should read 128.51.0.11.

They currently use the following URLs to access selected servers on our site (where 194.70.179.234 is one of our public IP addresses):

http://194.70.179.234:8060/Garp/frameset

http://194.70.179.234:8360/Garp/frameset

http://194.70.179.234/cgi-bin/imagox/admin/Login.cgi

Sorry I'm a bit vague on this; their existing access was set up before I became involved with the firewall.

You can do a...

show crypto isakmp sa

show crypto ipsec sa

Does it work this way...

http://128.51.0.11/cgi-bin/imagox/admin/Login.cgi

Result of show crypto isakmp sa is

Total     : 12
Embryonic : 1
        dst               src        state     pending     created
    81.144.184.37     194.70.27.46   MM_KEY_EXCH     0           0
     194.70.27.46    81.144.184.34   QM_IDLE         0           2
     194.70.27.46    81.144.184.34   QM_IDLE         0           1
     194.70.27.46    81.144.184.34   QM_IDLE         0           2
     194.70.27.46    81.144.184.34   QM_IDLE         0           2
     194.70.27.46    81.144.184.34   QM_IDLE         0           1
     194.70.27.46    81.144.184.34   QM_IDLE         0           1
     194.70.27.46    81.144.184.34   QM_IDLE         0           1
     194.70.27.46    81.144.184.34   QM_IDLE         0           1
     194.70.27.46    host217-155-130-97   QM_IDLE    0           0
     194.70.27.46    host217-155-130-97   QM_IDLE    0           0
     194.70.27.46    Metalogic_Warwick_Public   QM_IDLE   0      0

Result of show crypto ipsec sa is quite large; what am I looking for on it?
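The isakmp SA table above is the first thing to read when a peer says "the tunnel is up": a QM_IDLE row means phase 1 completed with that peer, while MM_KEY_EXCH means main mode never finished. The example below is added here and is not code from the thread or from Cisco; it parses a constructed copy of the output posted above (the local outside address 194.70.27.46 is taken from that output) and classifies each peer. It assumes, as the PIX 6.3 column naming suggests, that the created column counts IPsec SAs negotiated under that ISAKMP SA, so a QM_IDLE peer with created 0 has phase 1 but no phase 2, which points at the crypto ACL / NAT exemption rather than at keys or ISAKMP policy.

```python
import re
from dataclasses import dataclass

# Constructed copy of the "show crypto isakmp sa" output posted in the thread.
# 194.70.27.46 is the local PIX outside address in that output.
ISAKMP_SA_OUTPUT = """\
Total     : 12
Embryonic : 1
        dst               src        state     pending     created
    81.144.184.37     194.70.27.46   MM_KEY_EXCH     0           0
     194.70.27.46    81.144.184.34   QM_IDLE         0           2
     194.70.27.46    81.144.184.34   QM_IDLE         0           1
     194.70.27.46    81.144.184.34   QM_IDLE         0           2
     194.70.27.46    81.144.184.34   QM_IDLE         0           2
     194.70.27.46    81.144.184.34   QM_IDLE         0           1
     194.70.27.46    81.144.184.34   QM_IDLE         0           1
     194.70.27.46    81.144.184.34   QM_IDLE         0           1
     194.70.27.46    81.144.184.34   QM_IDLE         0           1
     194.70.27.46    host217-155-130-97   QM_IDLE    0           0
     194.70.27.46    host217-155-130-97   QM_IDLE    0           0
     194.70.27.46    Metalogic_Warwick_Public   QM_IDLE   0      0
"""


@dataclass
class IsakmpSa:
    dst: str
    src: str
    state: str
    pending: int
    created: int


# One SA row: dst, src, an upper-case state token, then two counters.
# The header line and the Total/Embryonic lines do not match this shape.
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+(\d+)\s*$")


def parse_isakmp_sa(text):
    """Return the SA rows of a 'show crypto isakmp sa' dump as IsakmpSa objects."""
    sas = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            sas.append(IsakmpSa(m.group(1), m.group(2), m.group(3),
                                int(m.group(4)), int(m.group(5))))
    return sas


def peer_of(sa, local_ip):
    """The remote peer is whichever of dst/src is not the local outside address."""
    return sa.src if sa.dst == local_ip else sa.dst


def diagnose(sas, local_ip, peer):
    """Classify the ISAKMP situation for one peer (peer may be an IP or a PIX name)."""
    rows = [s for s in sas if peer_of(s, local_ip) == peer]
    if not rows:
        return ("no ISAKMP SA: phase 1 never started "
                "(check peer address, UDP 500 reachability, and that the peer initiates)")
    if all(s.state == "QM_IDLE" for s in rows):
        # Assumption: 'created' counts IPsec SAs built under this ISAKMP SA.
        if sum(s.created for s in rows) == 0:
            return ("phase 1 up, no IPsec SAs created: compare crypto ACLs and "
                    "nat 0 exemptions on both sides, and confirm interesting traffic is sent")
        return "phase 1 up, IPsec SAs created: tunnel negotiated; check routing and ACLs if traffic still fails"
    stuck = sorted({s.state for s in rows if s.state != "QM_IDLE"})
    return (f"phase 1 incomplete (states {', '.join(stuck)}): "
            "check pre-shared key and ISAKMP policy match")


def report(sas, local_ip):
    """One diagnosis line per distinct peer."""
    return {p: diagnose(sas, local_ip, p)
            for p in sorted({peer_of(s, local_ip) for s in sas})}


if __name__ == "__main__":
    for peer, verdict in report(parse_isakmp_sa(ISAKMP_SA_OUTPUT), "194.70.27.46").items():
        print(f"{peer:28} {verdict}")
```

Run against the posted output this reports host217-155-130-97 as "phase 1 up, no IPsec SAs created", which is consistent with the remote side seeing a tunnel while nothing passes through it, and reports 81.144.184.37 as stuck in MM_KEY_EXCH, a separate peer worth a look at its pre-shared key.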

Do you want

http://

or

http://?

You currently have a static for 194.70.179.234 to 128.51.0.11, but you also have a nat 0 for traffic from 128.51.0.11 to Metalogic_Support_Host.

I'm trying to set up a site-to-site so access would be to private IP addresses on our networks (i.e. all addresses on 128.31.0.0, 128.51.0.0 and 128.60.0.0). I've already done this successfully for another of their sites (Metalogic_Warwick_Public). I think the rules you mention are possibly related to their old setup.

I understand, so are they trying http://128.51.0.11/cgi-bin/imagox/admin/Login.cgi or http://194.70.179.234/cgi-bin/imagox/admin/Login.cgi? Also bear with me a little bit if I'm asking a lot of questions; it's much more difficult to troubleshoot a config with a lot of network objects and names.

I appreciate your help and have no problem with you asking as many questions as is needed (it is a complicated setup, I know, and one I've only had limited involvement with until now).

At the moment http://194.70.179.234/cgi-bin/imagox/admin/Login.cgi works. I don't know if http://128.51.0.11/cgi-bin/imagox/admin/Login.cgi works yet as I'm awaiting feedback. However, if they try to ping another device on our network (e.g. 128.31.1.78) they get no reply, and it's this that we're trying to get working.

Are the pings coming from 217.155.130.97 or 192.168.2.x?

Their pings should show as coming from 217.155.130.97 as their IT folk say their internal traffic is being NATted to that address. I've checked the logs for traffic from 192.168.2.x also (in case their IT dept are telling me untruths) but nothing there.

Hi, was wondering if you've got any further forward with this. Thanks.

Is it possible to get some logs going while you try to pass traffic over the tunnel? Any chance of getting the config from the remote peer as well? Their nat exemption traffic should be a mirror image of yours etc.
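The "mirror image" point above is the usual phase-2 failure: the remote crypto ACL has to be the exact reverse of ours (their NAT host to each of our three /16s), and our nat 0 exemption has to cover the same pairs or the traffic gets translated before it reaches the crypto map. The example below is added here and is not code from the thread or from Cisco; it parses PIX-style access-list lines and reports both kinds of mismatch. The ACL names and the remote configuration lines are constructed: our side uses the three networks and the 217.155.130.97 host from the thread, the remote side is deliberately missing one entry, and the nat 0 line mirrors the single-host exemption (128.51.0.11 to the support host) mentioned above.

```python
import ipaddress

# Constructed local crypto ACL: our three /16s to the remote's NAT address.
LOCAL_CRYPTO = [
    "access-list to_remote permit ip 128.31.0.0 255.255.0.0 host 217.155.130.97",
    "access-list to_remote permit ip 128.51.0.0 255.255.0.0 host 217.155.130.97",
    "access-list to_remote permit ip 128.60.0.0 255.255.0.0 host 217.155.130.97",
]
# Constructed local nat 0 ACL: only the single host the thread mentions is exempted.
LOCAL_NAT0 = [
    "access-list nonat permit ip host 128.51.0.11 host 217.155.130.97",
]
# Constructed remote crypto ACL with a deliberate gap (no 128.60.0.0/16 entry).
REMOTE_CRYPTO = [
    "access-list outside_cryptomap permit ip host 217.155.130.97 128.31.0.0 255.255.0.0",
    "access-list outside_cryptomap permit ip host 217.155.130.97 128.51.0.0 255.255.0.0",
]


def _read_addr(tok, i):
    """Read one PIX address spec starting at tok[i]: 'host A' or 'A MASK'."""
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_acl(lines):
    """Parse 'access-list NAME permit ip SRC DST' lines into (src_net, dst_net) pairs.
    Lines that are not simple 'permit ip' entries are ignored."""
    pairs = []
    for line in lines:
        tok = line.split()
        if len(tok) < 8 or tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
            continue
        src, i = _read_addr(tok, 4)
        dst, _ = _read_addr(tok, i)
        pairs.append((src, dst))
    return pairs


def _fmt(pair):
    return f"{pair[0]} -> {pair[1]}"


def mirror_gaps(local_pairs, remote_pairs):
    """Return (missing, extra): local entries the remote does not reverse exactly,
    and remote entries that reverse nothing of ours. Both should be empty."""
    expected = {(d, s) for s, d in local_pairs}
    remote = set(remote_pairs)
    return (sorted(_fmt(p) for p in expected - remote),
            sorted(_fmt(p) for p in remote - expected))


def nat_exempt_gaps(crypto_pairs, nat0_pairs):
    """Crypto ACL entries not fully covered by some nat 0 entry; traffic matching
    these is translated before encryption and never matches the crypto map."""
    return [_fmt((s, d)) for s, d in crypto_pairs
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat0_pairs)]


if __name__ == "__main__":
    local = parse_acl(LOCAL_CRYPTO)
    missing, extra = mirror_gaps(local, parse_acl(REMOTE_CRYPTO))
    print("remote crypto ACL missing:", missing)
    print("remote crypto ACL extra:  ", extra)
    print("crypto entries not exempted from NAT:", nat_exempt_gaps(local, parse_acl(LOCAL_NAT0)))
```

With the constructed inputs this flags 217.155.130.97/32 -> 128.60.0.0/16 as absent on the remote side and all three of our crypto entries as uncovered by the single-host nat 0, which is exactly the shape of problem the request for the remote peer's config is meant to uncover.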
